On 9 February 2022, the European Data Protection Board (“EDPB”) published its Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR–CARPA certification criteria (“Opinion”). This is the first time the EDPB adopts a consistency opinion on the criteria for a certification scheme.
Primarily, the EDPB highlights that this certification scheme is not meant for international personal data transfers, and thus, it does not provide appropriate safeguards within the meaning of Article 46 (2) (f) of the GDPR.
Among other things, the EDPB considers that the GDPR–CARPA certification criteria may lead to an inconsistent application of the GDPR. In order to fulfill the requirements imposed by Article 42 of the GDPR in light of the EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation and the Addendum thereto, several amendments are deemed necessary on the following aspects:
- scope of the certification mechanism and target of evaluation;
- procedure to determine a target of evaluation;
- certification criteria;
- lawfulness of processing;
- principles of Article 5;
- general obligations for controllers and processors;
- rights of data subjects;
- risks for the rights and freedoms of natural persons;
- technical and organizational measures guaranteeing protection.